We recently discovered vulnerabilities in oarsub and oarsh that could be exploited in certain contexts unless an appropriate configuration is applied.

The first vulnerability concerns the case where the oar user on the frontend or on the nodes itself holds special privileges (e.g. through the ident protocol) on network services, such as the OAR REST API.

The second vulnerability concerns the possibility of breaking OAR by arbitrarily creating a new file, as the oar user, in an unexpected location.

Assuming OAR 2.5.7 or newer is installed, fixing the vulnerability is just a matter of configuration. The following configuration lines must be updated in oar.conf:

OPENSSH_CMD="/usr/bin/ssh -p 6667 -e none"
OPENSSH_OPTSTR="1246ab:c:e:fgi:kl:m:no:p:qstvxAB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy"
OPENSSH_OPTSTR_FILTERED="1246b:c:fm:nqstvxBCNPQ:TVXYy"
OARSH_OPENSSH_DEFAULT_OPTIONS="-e none -oProxyCommand=none -oPermitLocalCommand=no -oUserKnownHostsFile=/var/lib/oar/.ssh/known_hosts"

These settings forbid some OpenSSH options that are not wanted when OpenSSH is used through OAR.
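
An added example (not code from the OAR project or from the original page): a small Python audit that checks an oar.conf for the four settings above and lists the option letters present in OPENSSH_OPTSTR but absent from OPENSSH_OPTSTR_FILTERED. The function names, the sample file content and the "last assignment wins" parsing rule are assumptions.

```python
import re
import shlex

# Recommended values, copied from the configuration lines on this page.
RECOMMENDED = {
    "OPENSSH_CMD": "/usr/bin/ssh -p 6667 -e none",
    "OPENSSH_OPTSTR": "1246ab:c:e:fgi:kl:m:no:p:qstvxAB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy",
    "OPENSSH_OPTSTR_FILTERED": "1246b:c:fm:nqstvxBCNPQ:TVXYy",
    "OARSH_OPENSSH_DEFAULT_OPTIONS": "-e none -oProxyCommand=none -oPermitLocalCommand=no "
                                     "-oUserKnownHostsFile=/var/lib/oar/.ssh/known_hosts",
}
ASSIGN = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=(.*)$")

def parse_conf(text):
    """Parse KEY="value" lines; '#' lines are skipped, last assignment wins (assumption)."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            parts = shlex.split(m.group(2), comments=True)  # strips quotes and trailing comments
            conf[m.group(1)] = parts[0] if parts else ""
    return conf

def parse_optstr(optstr):
    """Map each option letter of a getopt-style string to True if it takes an argument."""
    return {m.group(1): bool(m.group(2)) for m in re.finditer(r"([0-9A-Za-z])(:?)", optstr)}

def dropped_options(full, filtered):
    """Option letters present in `full` but absent from `filtered`."""
    return sorted(set(parse_optstr(full)) - set(parse_optstr(filtered)))

def audit(text):
    """Return {key: problem} for every setting that deviates from RECOMMENDED."""
    conf, problems = parse_conf(text), {}
    for key, want in RECOMMENDED.items():
        if key not in conf:
            problems[key] = "not set"
        elif conf[key] != want:
            problems[key] = "differs from recommended value: %r" % conf[key]
    return problems

# Constructed sample oar.conf fragment (hypothetical, for illustration only).
SAMPLE = '''\
OPENSSH_CMD="/usr/bin/ssh -p 6667"
OPENSSH_OPTSTR_FILTERED="1246b:c:fm:nqstvxBCNPQ:TVXYy"
#OARSH_OPENSSH_DEFAULT_OPTIONS="-oProxyCommand=none"
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
    print(dropped_options(RECOMMENDED["OPENSSH_OPTSTR"], RECOMMENDED["OPENSSH_OPTSTR_FILTERED"]))
```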

harden_oarsub_oarsh_vs_openssh_options.txt · Last modified: 2020/12/17 08:45 by neyron